
Snort Forums Archive


Snort TCP Alerts not occurring on x86_64 architecture...


Posted by rwhAlbany on February 24, 2006 18:27:16

Folks:

I have compiled the latest snort version v2.4.3 with MySQL support on a sun sunfire x2100 dual core opteron box using fedora core 4 kernel: 2.6.15-1.1831_FC4smp. I had no problem compiling. The issue I am having is with TCP alerts. I have 2 systems, one running snort with a 32 bit compile with the same version of linux and the other running the 64bit compiled snort. When both systems are looking at the same traffic using identical rule sets the 32bit snort compile works as advertised. The 64bit snort system does not report TCP alerts, but does report UDP and ICMP related alerts.

If I run the 64bit compile snort in protocol analyzer mode it works just fine.

I will be glad to assist in resolving this issue for 64bit compiled snort…


Output of a portion from a statistic dump from each snort instance:

32bit snort:
========

Feb 24 14:57:17 localhost snort[14475]: ===============================
Feb 24 14:57:17 localhost snort[14475]: TCP Stream Reassembly Stats:
Feb 24 14:57:17 localhost snort[14475]: TCP Packets Used: 2092 (95.005%)
Feb 24 14:57:17 localhost snort[14475]: Stream Trackers: 73
Feb 24 14:57:17 localhost snort[14475]: Stream flushes: 51
Feb 24 14:57:17 localhost snort[14475]: Segments used: 187
Feb 24 14:57:17 localhost snort[14475]: Stream4 Memory Faults: 0
Feb 24 14:57:17 localhost snort[14475]: ===============================

64bit snort:
========

Feb 24 14:57:16 localhost snort[10195]: ===============================
Feb 24 14:57:16 localhost snort[10195]: TCP Stream Reassembly Stats:
Feb 24 14:57:16 localhost snort[10195]: TCP Packets Used: 2087 (94.993%)
Feb 24 14:57:16 localhost snort[10195]: Stream Trackers: 2076
Feb 24 14:57:16 localhost snort[10195]: Stream flushes: 0
Feb 24 14:57:16 localhost snort[10195]: Segments used: 0
Feb 24 14:57:16 localhost snort[10195]: Stream4 Memory Faults: 0
Feb 24 14:57:16 localhost snort[10195]: ===============================



Ronald W. Henderson

CTO UNIVERSAL Technologies, LLC
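As an added example (not code from this thread or from Snort itself), the following Python script parses "TCP Stream Reassembly Stats" syslog lines like the two dumps above and flags an instance that tracks many sessions yet never flushes a stream or uses a segment, which is the pattern in the 64-bit dump. The sample lines are constructed to match the quoted output, and the min_trackers threshold is an assumed value.

```python
import re
# Constructed sample lines, formatted like the stats dumps quoted in the thread.
SAMPLE_32BIT = """\
Feb 24 14:57:17 localhost snort[14475]: TCP Stream Reassembly Stats:
Feb 24 14:57:17 localhost snort[14475]: TCP Packets Used: 2092 (95.005%)
Feb 24 14:57:17 localhost snort[14475]: Stream Trackers: 73
Feb 24 14:57:17 localhost snort[14475]: Stream flushes: 51
Feb 24 14:57:17 localhost snort[14475]: Segments used: 187
Feb 24 14:57:17 localhost snort[14475]: Stream4 Memory Faults: 0
"""
SAMPLE_64BIT = """\
Feb 24 14:57:16 localhost snort[10195]: TCP Stream Reassembly Stats:
Feb 24 14:57:16 localhost snort[10195]: TCP Packets Used: 2087 (94.993%)
Feb 24 14:57:16 localhost snort[10195]: Stream Trackers: 2076
Feb 24 14:57:16 localhost snort[10195]: Stream flushes: 0
Feb 24 14:57:16 localhost snort[10195]: Segments used: 0
Feb 24 14:57:16 localhost snort[10195]: Stream4 Memory Faults: 0
"""

# syslog prefix "Mon DD HH:MM:SS host snort[pid]: message", then "Name: value"
_LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ snort\[(\d+)\]: (.*)$")
_STAT = re.compile(r"^(TCP Packets Used|Stream Trackers|Stream flushes|"
                   r"Segments used|Stream4 Memory Faults): (\d+)")

def parse_stream4_stats(text):
    """Return {pid: {stat_name: int}} for every snort instance found in text."""
    stats = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # not a snort syslog line
        pid, msg = int(m.group(1)), m.group(2)
        s = _STAT.match(msg)
        if s:
            stats.setdefault(pid, {})[s.group(1)] = int(s.group(2))
    return stats

def reassembly_healthy(s, min_trackers=100):
    """Flag a sensor that tracks many sessions yet never flushes a stream or
    uses a segment: nothing reassembled reaches the detection engine, so TCP
    rules stay silent. min_trackers (assumed threshold) skips fresh sensors."""
    trackers, flushes = s.get("Stream Trackers", 0), s.get("Stream flushes", 0)
    segments = s.get("Segments used", 0)
    if trackers >= min_trackers and flushes == 0 and segments == 0:
        return False, f"{trackers} trackers, 0 flushes, 0 segments: stream4 not reassembling"
    return True, "ok"

def check(text):
    """Health verdict per snort pid present in text."""
    return {pid: reassembly_healthy(s) for pid, s in parse_stream4_stats(text).items()}
```

Running check() over a sensor's periodic stats dumps gives an early signal that the instance has gone blind to TCP traffic, independent of whether any rule happens to fire.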


Posted by _vit_ on May 23, 2006 00:07:21

I've got the problem, too.
I don't know how, but the stream4 preprocessor cuts most of the TCP traffic off
and the snort detection engine produces no alerts.

Posted by christian_hallqvist on April 02, 2007 07:08:19

I have the same problem on x86_64 architecture - no TCP alerts.
I am using the Red Hat 2.6.9-42.0.10.ELsmp kernel and snort 2.6.1.3.
Did you find any solution to this?


Posted by christian_hallqvist on April 05, 2007 02:11:58

OK, it seems that snort generates TCP alerts on our x86_64 architecture
when I compile snort with -O1 instead of -O2. So in my case the problem is
somewhat resolved, I hope. I will however check if -O1 instead of -O2 causes
any substantial performance influence. GCC version is "3.4.6 20060404 (Red Hat 3.4.6-3)",
which today is a little bit old.

I also tried to compile snort with gcc "version 4.1.2" with the -O2 option and that
works as well. However, then other problems occur regarding mmap, but at least
TCP alerts are reported.